In October 2015, the European Court of Justice declared the EU-U.S. Data Privacy Safe Harbor invalid. For the 200+ U.S. companies which had relied on the Safe Harbor to transfer personal data from the EU to the U.S., this meant that such transfers were no longer legal. The U.S. and the EU almost immediately started working on a successor mechanism to replace the invalid Safe Harbor. In the meantime, however, the national data protection authorities of the EU member states started imposing fines on U.S. companies which relied on the Safe Harbor but failed to take corrective actions once it was declared invalid.
The U.S. and EU Commission eventually worked out a replacement called the Privacy Shield. After months of debate, the Privacy Shield was approved by the EU member states on July 8, 2016. Formal ratification is expected the week of July 11.
Overall this is good news for U.S. companies. But U.S. companies which relied on the Safe Harbor should not immediately jump for joy. Our initial review of the Privacy Shield is that it works essentially like the Safe Harbor, but the U.S. and EU have added more teeth, including the right of EU data subjects to bring a claim for failure to observe the Privacy Shield. That could lead to more litigation in this area. A more fundamental problem, however, is that the Privacy Shield may still be too weak under EU law (even though it seems remarkably strong to most U.S. companies). The Privacy Shield almost certainly will be challenged. Many experts do not give it much chance of avoiding the fate of the Safe Harbor.
So what should U.S. firms do? If a U.S. firm did not rely on the Safe Harbor, but instead relied on another exception to transfer data from the EU to the U.S., the approval of the Privacy Shield does not affect it. The situation is different for those U.S. firms which had relied on the Safe Harbor and have done nothing since it was declared invalid last year. Their options now are (1) to register under the Privacy Shield and hope that it holds up long enough to justify the time and costs invested in complying with its requirements, or (2) to determine whether one of the other ways to legally transfer data from the EU to the U.S. makes more sense.